
Conversations With Cybersecurity’s Undervalued Workforce – Part 4

Rebecca Herold is CEO and Founder of The Privacy Professor® consultancy she established in 2004, and is Co-Founder and President of SIMBUS, LLC

What advice would you provide to women thinking about a career in cybersecurity & technology?

There are unlimited areas of advice which I am confident you are finding through your collection of these stories. The tech industry has gone through many changes since I started as a systems engineer in 1988, but there are still long-standing useful and effective types of advice that are still relevant, and will continue to be relevant as long as there is a tech industry.

Here is some advice I’ve actually provided a couple of times in the past month. I’ve had a couple of different young women, each with 2 and 5 years of experience, generally say to me, “I’ve tried to get involved with the XXXX (two different large regional privacy and cybersecurity conferences) conference, so I sent a message to the woman who was on the speakers committee, but she never replied to me. I don’t know why. Oh, well.”
I asked each: “Did you follow up, with an email or call?” One said she sent one follow-up email, the other did no follow-up.

I’ve seen this lack of active initiative to be common in the young careers of women (as well as for women with many years of experience). As I explained to each of these women, if you want to contribute to an event, project, or anything else that is going on, and the person contacted is not responsive after the first, second, or even seventh contact, don’t give up if it is important to you.

I also was hesitant to be assertive when I started in my career, but I soon learned that it is valuable to continue to let your interest be known if there is something to which you want to contribute. Some examples:

• If you want to speak at a conference, or be part of the planning committee, don’t just stop at contacting one person on the committee, and don’t stop after just one, or even two contacts. I’ve found that those who truly want to get involved to widen their industry contacts, to share their knowledge and expertise, and to take their career to potentially new, and yet unrecognized opportunities, must be more persistent in letting event organizers and project group leaders know they want to be involved. Women must be more visibly and actively pursuing these types of roles and activities. Don’t sit back and wait to get a reply from a single call or a single email. Keep contacting the people (more than one of the leaders) to ask to participate until you either get accepted, or get a clear indication that you will not be included. If you are turned down, then don’t stop there. Ask them how you can be involved for future events, projects, etc.

• If you want to be part of a working group (e.g., in IEEE, ACM, ISACA, IAPP, etc.), get in touch with all the leaders of the group, not just one of them, and let them know you want to be involved. If you get no response, keep calling and emailing until someone responds. If you are turned down for any reason, ask them to let you know why, and then also to let you know of other opportunities; then check back with them every quarter or so to ask if there are now new opportunities. If you are included in the working group, be active! Do not just show up for meetings and not contribute. You need to let people know your ideas, and demonstrate your capability and ambition for the topic.

So, in general, be more proactive, be more visible, be more contributory for the areas of the field where you want to work. Our male counterparts have long done this, and continue to do this. Women need to also step up and speak up to be included. And if you see someone else stepping up, don’t quit or step aside just because others are also interested. If you have the desire to participate and contribute, then focus on being one…or THE one…to be included. I’ve seen too many women early in their careers back down if someone else, man or woman, also pursues the same openings. If you want something, go for it! It may feel uncomfortable for the first few, or several, times you are assertive; I know it did for me. But if you want to be as successful as possible, you need to let your peers, industry leaders, and role models know that you are serious about your own success, and that you are going to persist despite any competition that may exist. Don’t let others intimidate you.

Are there any particular challenges that you have personally faced in your cyber career?

I started my career as a systems engineer at a large multi-national financial and healthcare corporation in 1988. I identified a vulnerability in how one of the major back office systems was designed and had an idea for how to mitigate it. I went to my new manager at the time, described my idea and sketched it out on the whiteboard in his office. He wasted no time telling me that it was a horrible idea, that none of the business unit heads would ever agree to do something so drastically different, that it had never before been done, and that they would likely view it just as more work for them. So, I explained how it would actually be less work for them, after which he literally yelled at me, “Stop! Your idea is bad! Quit wasting my time!” I considered quitting that day, but didn’t.

Two months later at the IT-wide quarterly meeting the IT Director announced a great new innovative idea that my manager had proposed to the business heads, who embraced the idea and were already doing actions to get it implemented. They also announced my manager had been promoted and would be moved to a different department for his fabulous idea, which they described…and it turned out to be my idea, right down to the drawings I made on his white board. I learned many valuable lessons from that situation. I have often wondered since then how often similar types of situations have occurred.

I actually got onto the information security, privacy and compliance path way back at the beginning of my career as a result of creating and maintaining the change control system at a large multinational financial/healthcare organization.

The programs were all housed in an IBM 390 mainframe (where most of them still are today; mainframes now seem to be high-speed application servers) divided into four regions for each of the several business unit regions.

My change control system was used to move a program from the development region to test region to the pilot/beta region, and finally to the production region within each of the applicable business unit regions. It was an online system that required authorizations for each of the moves. A manager had to approve, through the online system, of the move from development to test to pilot. A director had to approve of the move of a program from test to pilot, and from pilot to production, through the online system. The documented procedures required the managers and directors to carefully review the change documentation, and proof of thorough testing as signed off by the program team leader or manager, respectively, before they would provide their approval within the system.

The concept was good. The system was good. The procedures were good. Unfortunately many of the individuals using my change control system were not so good.

It was a real frustration for me to walk through the many different programming areas (we had around 800 programmers at the time) on Thursdays (the last day of the week for directors to approve of program changes to be moved into production on Friday) and see so many of the directors with their terminals logged on and open to access (no PCs were used in the programming area at the time…that actually didn’t change until the mid-1990s), and not even at their desks or in their offices, so that the programmers could go in and make the online approvals on the Directors’ terminals themselves!
That bothered me for a couple of reasons…
1. At a personal level, I wondered why I put so much time and effort into creating a sound, tightly controlled change control system, only to have the people authorized to use it defeat those controls. Many of you may think, “Whatever; get over it.” Fair enough. But then…
2. At a business level, I saw how dangerous this was. As a result of these managers and directors not really doing the reviews, each week we had a large number of production moves that had to be backed out on Friday afternoons because of the problems they caused. Many were very minor problems, but some brought the system to a standstill or even messed up the customer databases significantly before the problems were noticed.

After being responsible for this online change control system for almost two years, there was an opening in the IT Audit area. Working on the change control system helped me to see firsthand the importance of controls, so I applied for, and got, the IT Audit opening to learn more about how controls impact business.

After I went to the IT Audit area, the common practice for leaving unattended terminals and PCs logged in and unsecured, allowing others to use them, changed due to my initiative. In 1990 – 1991 I performed an enterprise-wide information security audit. I reviewed a very wide range of departments, and went deep into the details. It took around 7 months to complete. As a result of that audit, I recommended that an information security department be created. The executives were impressed with the audit report and assigned me to create the Information Protection department in 1991. I’m so happy I took that opportunity! I’ve been addressing privacy within business since 1994, when I was given the responsibility of establishing privacy requirements for what my business indicated was the first online bank. This was in addition to my responsibility for creating the information security requirements for the bank. There were no privacy laws at that time applicable to online banks (why would there be if ours was the first?), so the lawyers in the large organization where I worked said they were not obligated to determine privacy requirements when I asked them if they could get involved. However, I strongly believed it was important. So I convinced my senior vice president at the time to have privacy addressed. He indicated that since I felt so strongly about it, he would give me that privacy responsibility. Another great opportunity to do something that had never been done before within the organization, or at most other organizations. Since then I’ve welcomed the opportunity to identify privacy risks in new technologies and practices, in the absence of any laws or regulations, in a wide range of industries and also identify the cybersecurity controls to mitigate those risks. When opportunities arise, take them! Be the trailblazer and original expert in a new, specific field!

Here’s one from when I had around 10 – 12 years of experience:
I was working for an information security consulting company and it got acquired by an IT consulting business that purchased my employer to expand into the information security area. The managers there really knew nothing about information security but thought they did.

The manager I was assigned to report to had 4 years of IT experience, and I was told he was the business expert in information security policies. When I met with him the first time, at his request I told him about my experience writing the first information security policies for a multi-national, multi-services corporation throughout the 1990s; he did not recognize my references to “access controls,” “BS7799,” NIST Information Security Standards, “encryption,” and a wide range of other terms and standards that those who worked with information security for any length of time would know. I came to find out that the information security policies he was an “expert” in were firewall settings policies. He had never thought about information security beyond firewalls before. Despite this, he was constantly criticizing and trying to tell me my work involving administrative, physical, and technical information security controls, and also CIA concepts, were incorrect; he was intimidated by my experience, and wanted to constantly establish his “superiority” (his word) through his constant criticisms.

Things were no better with the VP of Sales at that company. He directed all of us who did information security risk assessments to make the reports sound as bad as possible, and instead of providing descriptive recommendations our clients could implement themselves, to recommend instead that they contract our business to do the mitigation work. I hated that! I wanted to provide value to the clients and truly help them, not just create another sales path for a project as a result of a project just ending. I refused to word the risk assessment I was working on at the time we were acquired in that way. Soon after I got a “stern talking to” from the VP, telling me I’d better “shape up and get with the program,” I quit and took an offer at a different consulting business.

I literally was getting sick from working there; I frequently had headaches and developed a constant twitch in my left eye. I was so glad to leave. If you are ever at a business where you are miserable, find a way to leave, as soon as possible. It is not worth losing your health over keeping a job where the management are unethical and you hate every day of going to work. If you are good at what you do, and believe in yourself (and you NEED to believe in yourself) you will find another position.

Women, and men, need to realize that there will ALWAYS be challenges. Unless they are financially supported by a billionaire parent or otherwise, there will be challenges to face; most will be completely unexpected and often surprising, from the time they start their careers through to the time they leave their tech career, if they indeed ever do leave.

Personally, I’m planning to work for as long as possible. I love what I do so I can’t imagine ever leaving my work despite the challenges. Why leave something you love?
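The four-region promotion workflow and its approval roles described earlier (manager for development to test and test to pilot, director for test to pilot and pilot to production, with testing signed off beforehand) can be modelled in a few dozen lines. The following is an added example, not Rebecca Herold's mainframe system or any code from this interview. It adds two checks motivated by the failure she saw with unattended, logged-in director terminals: an approval is refused when the session has been idle beyond an assumed limit (`IDLE_LIMIT_SECONDS`, my assumption, not a figure from the interview), and the author of a change can never approve it. All names, program identifiers and clock values are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum


class Region(Enum):
    DEVELOPMENT = 1
    TEST = 2
    PILOT = 3
    PRODUCTION = 4


# Roles that must approve each move, as described in the interview: a manager
# approves development->test and test->pilot; a director approves test->pilot
# and pilot->production.
REQUIRED_APPROVALS = {
    (Region.DEVELOPMENT, Region.TEST): {"manager"},
    (Region.TEST, Region.PILOT): {"manager", "director"},
    (Region.PILOT, Region.PRODUCTION): {"director"},
}

# Assumed idle limit (not from the interview): an approval from a terminal
# idle longer than this is refused, so an open, unattended director session
# cannot be used by someone else as a rubber stamp.
IDLE_LIMIT_SECONDS = 300


@dataclass
class Session:
    """A logged-in terminal. user/role come from the login, not from whoever
    is typing; last_activity is a clock reading in seconds."""
    user: str
    role: str
    last_activity: float


@dataclass
class Change:
    program: str
    author: str                    # programmer who made the change
    region: Region = Region.DEVELOPMENT
    tested_signoff: bool = False   # team leader/manager attested to testing
    approvals: dict = field(default_factory=dict)  # move -> {role: approver}


class ChangeControlError(Exception):
    pass


def approve(change, session, target, now):
    """Record one approval for moving `change` to `target`, or raise
    ChangeControlError saying why the approval is refused."""
    move = (change.region, target)
    if move not in REQUIRED_APPROVALS:
        raise ChangeControlError(f"{change.region.name} -> {target.name} is not a valid move")
    if now - session.last_activity > IDLE_LIMIT_SECONDS:
        raise ChangeControlError("idle session: re-authenticate before approving")
    if session.user == change.author:
        raise ChangeControlError("the author of a change may not approve it")
    if session.role not in REQUIRED_APPROVALS[move]:
        raise ChangeControlError(f"role {session.role!r} may not approve this move")
    if not change.tested_signoff:
        raise ChangeControlError("no testing sign-off on record")
    change.approvals.setdefault(move, {})[session.role] = session.user
    session.last_activity = now


def promote(change, target):
    """Move the program only once every required role has approved."""
    move = (change.region, target)
    have = set(change.approvals.get(move, {}))
    missing = REQUIRED_APPROVALS.get(move, set()) - have
    if move not in REQUIRED_APPROVALS or missing:
        raise ChangeControlError(f"cannot move to {target.name}: missing {sorted(missing)}")
    change.region = target
    return change.region


def demo():
    """Constructed scenario (sample data, not a real program): one honest
    promotion path, with each refused attempt recorded by its reason."""
    out = {}
    change = Change(program="PAYROLL01", author="prog_alice", tested_signoff=True)
    manager = Session("mgr_bob", "manager", last_activity=0.0)
    director = Session("dir_carol", "director", last_activity=0.0)

    approve(change, manager, Region.TEST, now=10.0)
    out["to_test"] = promote(change, Region.TEST).name

    # A director terminal left logged in and untouched since t=0 is used at
    # t=1000 by someone else: refused because the session is idle.
    try:
        approve(change, director, Region.PILOT, now=1000.0)
    except ChangeControlError as e:
        out["idle_terminal"] = str(e)

    # Both approvers re-authenticate (modelled by refreshing last_activity).
    director.last_activity = manager.last_activity = 1000.0
    approve(change, director, Region.PILOT, now=1005.0)
    try:
        promote(change, Region.PILOT)          # director alone is not enough
    except ChangeControlError as e:
        out["director_only"] = str(e)
    approve(change, manager, Region.PILOT, now=1010.0)
    out["to_pilot"] = promote(change, Region.PILOT).name

    # The author's own session cannot approve, whatever role it carries.
    author = Session("prog_alice", "director", last_activity=1010.0)
    try:
        approve(change, author, Region.PRODUCTION, now=1015.0)
    except ChangeControlError as e:
        out["author_approval"] = str(e)

    approve(change, director, Region.PRODUCTION, now=1020.0)
    out["final"] = promote(change, Region.PRODUCTION).name
    return out


if __name__ == "__main__":
    print(demo())
```

The point of binding the approval to the session's authenticated user and to recent activity is that the control then depends on who logged in and is present, not on whose terminal happens to be open; the weekly Friday back-outs she describes were the cost of approvals that carried a director's name without a director's review.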

What are current diversity employment and training initiatives missing?

Several things are missing. We could write a book on this, but I’ll focus on one for now. I’ve seen for far too long this obsession by businesses with trying to determine “what can women do?” with regard to technology. Every business needs to understand this: Every person can do as much or as little as they choose! Gender truly does not matter!

A couple of years ago I gave a talk on women in tech at the Euro CACS conference in Copenhagen, and was happy to see around 1/3 of those in attendance at my session were men. The talk was well received. But one of the first audience questions really stuck with me as what too many organizations do wrong in their diversity initiatives. The question was, “What tech jobs are women good at doing?” He was sincere in wanting to know this. I answered, “Women can do any tech job; we are not limited. That is one of the problems; too many organizations think they need to target women for specific types of tech jobs, when the reality is, women are as capable as men of doing ANY type of tech job. Don’t think about trying to find specific types of tech jobs to fit women’s capabilities, because the fact is, women have all the same capabilities as men! Instead, think about how you can increase visibility of tech job positions to ALL people! Regardless of their gender.”

After my talk, he told me he really hadn’t thought about it that way before; he said his business had spent all their time trying to create tech jobs specifically for women. Huge mistake! Instead they should have been expanding their inclusiveness for ALL tech jobs to all genders!

ALL genders need to realize that any person who is of any gender has a brain and associated capabilities used to contribute to the tech field. We don’t think with our genitals, so let’s stop building initiatives around these long-standing views of differences in capabilities that have nothing to do with our abilities, and our possibilities of using our brains to succeed and contribute!

Also, I’ve found there is just as much bias against women in tech from women as from men. It definitely is not simply a problem with men not giving women a chance; it goes much deeper than that to long-standing views throughout the population in general about what women can do and are excelling at. Too many initiatives try to make this a men-against-women issue; it is not! Some of the strongest proponents of helping women to get into tech are men, and some of the biggest obstacles come from women. So any efforts that try to make this a men-against-women issue need to be stopped; they are more destructive than they are constructive.

A few years ago, I actually had an IT conference promoter, a woman who was their VP of Promotions, ask me to do a keynote 8 months from the time when she invited me to speak for their large annual conference on an information security topic that I had done research in that had been widely published. After some negotiations, we both agreed to terms and set the date on the calendar. I didn’t hear from her for a few months, so around 3 months before the conference I contacted her to get the logistics. She sounded a bit flustered, then said that she decided a man would be a better draw for their conference, and so booked him (whom I’d never heard of and who had around 5 years of experience in the field, not that it matters, but I know people will wonder) instead. So not only was she exceptionally unprofessional in how she handled the situation, basically trying to ghost me out of the event without speaking with me, but she also perpetuated with her own biased thoughts and actions the fallacy that women aren’t good in technology fields.

Are your role models found within or mostly outside of your industry?

Within the industry, I’ve looked often to the following as role models:
Melinda Gates. She has done phenomenally well in pursuing work she loves, while also then sharing her success through her philanthropic activities. I really admire that, and have learned a lot by looking at her career.

Robert Herjavec. I admire how he built his information security business from scratch to be so successful, sold it for a huge profit, and then spun his career upward from there. His story of being a self-made multi-millionaire has good lessons to learn.

Outside of the industry:
Warren Buffett. His life story and lessons from his huge business success provide good lessons to build upon. And the fact that he is a fellow US Midwesterner just a two-hour drive to the west of me provides a lot of things in common with which I can relate.

Mary Kay Ash. I’ve always found it pretty remarkable how she created a business from scratch, with a $5,000 loan, that today is in over 37 countries making over $200 million annually in sales. How she came to utilize consultants so effectively to sell her products provides good lessons in how to consider selling services and products in new ways.

Rebecca has over 25 years of systems engineering, information security, privacy and compliance experience. Rebecca is an entrepreneur; she is CEO and Founder of The Privacy Professor® consultancy she established in 2004, and is Co-Founder and President of SIMBUS, LLC, an information security, privacy, technology & compliance management cloud service for organizations of all sizes, in all industries, in all locations. Rebecca created the information security and privacy functions at a large multi-national financial and health care organization throughout the 1990s. Rebecca has authored 18 books to date, dozens of book chapters, and hundreds of published articles. Rebecca led the NIST SGIP Smart Grid Privacy Subgroup for seven years, was a founding member and officer for the IEEE P1912 Privacy and Security Architecture for Consumer Wireless Devices Working Group, and serves on the Advisory Boards of numerous organizations. Rebecca also serves as an expert witness for information security, privacy, and compliance issues. Rebecca was an Adjunct Professor for the Norwich University MSISA program for many years. Rebecca has provided invited keynotes on five continents, and has spoken at over 100 conferences, seminars and other events. Rebecca has received numerous awards for her work, is frequently interviewed, including regularly on the KCWI23 morning television show, and quoted in diverse broadcasts and publications. Rebecca has degrees in Mathematics, Computer Science and Education. Rebecca holds the following certifications: FIP, CISSP, CISA, CISM, CIPT, CIPM, CIPP/US, FLMI. Rebecca is based in Des Moines, Iowa. www.SIMBUS360.com, www.privacyprofessor.org, www.privacyguidance.com, rebeccaherold@rebeccaherold.com

Scott presents at cybersecurity conferences regularly as well as appearing on major TV networks including Fox, Bloomberg, Good Morning America, CNN, CGTN, CNBC, MSNBC and many more. Scott is responsible for development of many cell phone detection tools that enforce a “no cell phone policy” in correctional, law enforcement, and secured government facilities. Scott's latest book, 'Hacked Again', chronicles his own hacking story and is filled with security tips for consumers and small business owners. Scott is a contributor to Huffington Post, Tripwire (State of Security), Connected World and IDG in addition to Business Value Exchange, Fortune Magazine and IBM Big Data & Analytics Hub.